CVE-2021-3393 - log

CVE-2021-3393 edited at 11 Feb 2021 21:36:26
Description
- A security issue was found in PostgreSQL before version 13.2. If a cross-partition UPDATE violates a constraint on the target partition, and the columns in the new partition are in different physical order than in the parent, the error message can reveal columns that the user does not have SELECT permission on.
+ A security issue was found in PostgreSQL 11 to 13 before version 13.2. A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message. This is similar to CVE-2014-8161, but the conditions to exploit are more rare.
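Review bot: the replacement description drops the trigger conditions that the removed line stated (a cross-partition UPDATE that violates a constraint on the target partition, where the new partition's columns are in a different physical order than the parent's) and says only that the conditions are "more rare". Consider keeping those conditions alongside the new affected-version range (PostgreSQL 11 to 13 before 13.2), so that readers can judge from the entry itself whether their partitioned tables and column-level grants are exposed.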
References
+ https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/
https://github.com/postgres/postgres/commit/8e56684d54d44ba4ed737d5847d31fba6fb13763
CVE-2021-3393 edited at 11 Feb 2021 13:15:02
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ A security issue was found in PostgreSQL before version 13.2. If a cross-partition UPDATE violates a constraint on the target partition, and the columns in the new partition are in different physical order than in the parent, the error message can reveal columns that the user does not have SELECT permission on.
References
+ https://github.com/postgres/postgres/commit/8e56684d54d44ba4ed737d5847d31fba6fb13763
Notes
CVE-2021-3393 created at 11 Feb 2021 13:12:57